Saturday, July 14, 2007

Microsoft Windows Vista: Services’ Hardening

Service hardening is one of many new security mechanisms in Windows Vista and the next generation of Windows server, currently known as Longhorn Server (later released as Windows Server 2008). Because it is not always desirable or possible to disable the Windows services that give attackers an exploitable point of entry, the new operating systems include features that limit what a compromised service can do.

Here are a few facts you should know about service hardening:

SCM manages services:

Windows services are programs managed by the Service Control Manager (SCM), which keeps a database of installed services and controls each service's state. Many services start automatically when Windows boots and run continuously, so they are always available, often listening on the network, and therefore attractive to attackers.

Higher privileges = greater exposure:

In previous Windows operating systems, most services ran under the LocalSystem account, which holds almost every privilege the operating system defines. If such a service was compromised, the attacker inherited that access and could do major damage, because the token running the exploit could touch nearly everything on the machine.

Vista and Longhorn Server run services with lowest possible privileges:

In Vista and Longhorn, many of the services that used to run under LocalSystem now run under the NetworkService or LocalService accounts, which carry far fewer privileges. In addition, a service can now declare the privileges it actually needs (sc.exe privs sets this on the command line), and when the SCM starts the service it strips every other privilege from the service's token. A compromised service therefore cannot use a privilege it never asked for, which reduces the attack surface.

Vista protects services by using "isolation" techniques:

Isolation techniques include Session 0 isolation, which prevents user applications from running in Session 0 (the first session created when Windows starts). Only services and other processes that are not associated with a user session run there; the first interactive user now logs on to Session 1. This protects services from the actions of user applications, in particular from "shatter" attacks in which a low-privilege process sends window messages to a privileged service window sharing its desktop.
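To check Session 0 isolation on a Vista or later host, the following PowerShell snippet (an added example, not part of the original post) joins the running-service process IDs from WMI against the process list and reports any service process that is not in session 0. It assumes the built-in Win32_Service class and Get-Process, nothing else.

```powershell
# Added example (not from the original post): verify Session 0 isolation.
# Every running service should live in session 0; interactive user processes should not.
$svcPids = Get-WmiObject Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.ProcessId -ne 0 } |
    Select-Object -ExpandProperty ProcessId -Unique

$procs = Get-Process | Select-Object Id, Name, SessionId

# A service process outside session 0 would be a hardening regression worth investigating.
$outOfSession0 = $procs | Where-Object { $svcPids -contains $_.Id -and $_.SessionId -ne 0 }
if ($outOfSession0) {
    "Service processes outside session 0:"
    $outOfSession0 | Format-Table -AutoSize
} else {
    "All $($svcPids.Count) service processes run in session 0."
}

# The interactive shell (explorer.exe) should report session 1 or higher on Vista.
$procs | Where-Object { $_.Name -eq 'explorer' } | Format-Table -AutoSize

# How many processes live in each session.
$procs | Group-Object SessionId | Select-Object Name, Count
```

On Windows XP or Server 2003 the same script shows explorer.exe in session 0 alongside the services, which is exactly the sharing that Vista removes.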

Vista assigns a Security Identifier (SID) to each service:

Assigning a SID to each service separates services from one another and lets the operating system apply the normal Windows access control model to them: a service's access to resources can be restricted in the same way a user or group account's access is. The per-service SID has the form S-1-5-80-..., is derived from the service name, and shows up in ACL tools as NT SERVICE\<service name>. A service gets its SID added to its token only if it opts in (sc.exe sidtype <service> unrestricted or restricted); services left at the default of "none" run with the plain account token as before.
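The following PowerShell function (an added example, not from the original post) derives a service SID the way Vista's SCM does, as Microsoft documents it: SHA-1 over the upper-cased service name encoded as UTF-16LE, with the 20-byte digest read as five little-endian 32-bit sub-authorities under S-1-5-80. The function name Get-ServiceSid is an assumption of this example; the built-in sc.exe showsid command is the authority to compare against.

```powershell
# Added example, not from the original post. Derives a per-service SID as documented for
# Vista: SHA-1(UTF-16LE(UPPER(service name))) split into five little-endian DWORDs under S-1-5-80.
# Cross-check against the SCM's own answer with: sc.exe showsid <ServiceName>
function Get-ServiceSid {
    param([Parameter(Mandatory = $true)][string]$ServiceName)

    # The hash input is the upper-cased name, so 'Spooler' and 'SPOOLER' yield the same SID.
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $hash  = $sha1.ComputeHash($bytes)

    # 20 digest bytes -> 5 unsigned 32-bit sub-authorities (BitConverter is little-endian on x86/x64).
    $subAuthorities = 0..4 | ForEach-Object { [System.BitConverter]::ToUInt32($hash, $_ * 4) }
    return 'S-1-5-80-' + ($subAuthorities -join '-')
}

# Usage: derive the SID for a built-in service and resolve it back to its account name.
# LSA resolves a service SID to NT SERVICE\<name> only for services installed on this machine.
$sid = Get-ServiceSid -ServiceName 'TrustedInstaller'
$sid
$account = New-Object System.Security.Principal.SecurityIdentifier($sid)
$account.Translate([System.Security.Principal.NTAccount]).Value

# The SCM's answer must match the derived value.
sc.exe showsid TrustedInstaller
```

Being able to compute the SID offline is useful when you write ACL templates or firewall policy for a service before it is installed: the SID does not depend on the machine, only on the service name.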

In Vista, access control lists (ACLs) can now be applied to services:

An ACL is a set of access control entries (ACEs). Every securable object (a file, directory, registry key, named pipe, service object and so on) has a security descriptor that contains the ACLs assigned to it, and the permissions that define who or what can access the object are stored in its discretionary ACL. Because a service now has a SID, the service itself can be named in an ACE, so an object's DACL can grant access to NT SERVICE\<service name> and deny it to everyone else.

Vista allows the application of network firewall policies to services:

The policy is linked to the service's SID. This lets you control how the service is allowed to use the network and stop it from doing anything else, for example by blocking all outbound traffic from a service that should only ever listen. The Vista firewall (Windows Firewall with Advanced Security) is integrated with service hardening: the built-in services ship with Windows Service Hardening rules, and an administrator can create rules scoped to a service by its short name, on the command line through netsh advfirewall with the service= parameter.

Specific services can be restricted so that they can't make edits to the registry, write to system files, and so forth:

If a service needs to perform those actions to function properly, it can be restricted so that it can write only to specific areas of the registry or file system. This is done with a write-restricted token (sc.exe sidtype <service> restricted): the service can write only to objects whose ACL explicitly grants write access to its service SID, even if the account it runs under would otherwise have access. Services can also be prevented from changing configuration settings and performing other actions that an attacker could exploit.

Each service is pre-assigned a service hardening profile:

This profile defines what the service should and should not be allowed to do: the account it runs as, the privileges it requires, its SID type and the firewall rules that apply to it. Based on this profile, the SCM assigns the service only the privileges it must have. For the services that ship with Windows this happens transparently, with no configuration or administrative overhead. A third-party service does not get a profile automatically; its installer must declare the required privileges and SID type (through ChangeServiceConfig2 or sc.exe), otherwise it runs with the full token of its account as it always has.
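The facts above (least-privilege account, declared privileges, a service SID, ACLs naming that SID, and a firewall rule tied to the service) are the steps an installer or administrator takes to harden a third-party service. The PowerShell script below is an added example, not from the original post, that applies them to a hypothetical service called ContosoAgent with an assumed data directory and registry key; the service name, paths and the exact privilege list are assumptions to adapt. Run it elevated, and note that in PowerShell "sc" is an alias for Set-Content, so the SCM tool must be called as sc.exe.

```powershell
# Added example (not from the original post): opt a hypothetical third-party service,
# ContosoAgent, into Vista service hardening. All names below are assumptions for illustration.
$svc     = 'ContosoAgent'                 # assumed service short name
$dataDir = 'C:\ProgramData\ContosoAgent'  # assumed directory the service must write to
$keyPath = 'HKLM:\SOFTWARE\Contoso\Agent' # assumed registry key the service must write to

# 1. Run under a low-privilege built-in account instead of LocalSystem.
#    sc.exe requires the space after "obj=".
sc.exe config $svc obj= 'NT AUTHORITY\LocalService'

# 2. Declare only the privileges the service uses; the SCM strips every other privilege
#    from the token at start. Privileges are separated by "/".
sc.exe privs $svc SeChangeNotifyPrivilege/SeImpersonatePrivilege

# 3. Give the service its own SID (NT SERVICE\ContosoAgent) so ACLs and firewall rules
#    can name it. 'restricted' also makes the token write-restricted: writes succeed only
#    where the DACL explicitly grants the service SID. Use 'unrestricted' if that is too tight.
sc.exe sidtype $svc restricted

# 4. Grant the service SID write access to exactly the locations it needs.
New-Item -ItemType Directory -Path $dataDir -Force | Out-Null
icacls.exe $dataDir /grant "NT SERVICE\${svc}:(OI)(CI)M"

New-Item -Path $keyPath -Force | Out-Null
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    "NT SERVICE\$svc",
    'SetValue, CreateSubKey, ReadKey',
    'ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 5. Firewall policy bound to the service: this agent only listens, so block everything outbound.
netsh advfirewall firewall add rule "name=Block $svc outbound" dir=out action=block service=$svc

# 6. Verify the stored configuration, then restart so the SCM builds the new token.
sc.exe qsidtype $svc
sc.exe qprivs $svc
sc.exe showsid $svc
Restart-Service -Name $svc
```

If the service stops working after step 3, the usual cause is a write to a location that does not grant the service SID; Process Monitor shows the ACCESS DENIED results, and the fix is an ACE for NT SERVICE\<name> on that path rather than switching the SID type back to none.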

Service hardening does not prevent attackers from compromising services:

The Windows Firewall, patching and the other protective layers are what try to prevent the compromise itself. The purpose of service hardening is to reduce the damage that can be done if a service does get compromised: a service running as LocalService with two privileges, a write-restricted token and no outbound network access gives an attacker far less to work with than the old LocalSystem service did. It provides the inner layer of protection in Vista's multilayered security strategy.
